Security Orchestration, Automation & Response (SOAR)

SOAR Playbooks (27 Topics)
- Communication with a Known Bad
- Denial of Service
- Denial of Service
- False Positive
- Improper Disposal of Confidential Documents
- Improper Disposal of Digital Asset
- IR Playbook - Suspected Insider Threat
- IR Playbook - Suspected System Intrusion
- IR Playbook - Third Party Breach
- Lost / Stolen Laptop
- Lost or Stolen Smart Device
- Lost or Stolen Storage Device
- Malicious Code
- Malware
- Malware Detected on Endpoint
- Peer-2-Peer File Sharing
- Phishing
- Port Scan Activity
- Privileged Account Creation
- Social Engineering
- Suspected Data Breach
- Suspected Phishing
- Suspicious Network Activity
- Suspicious System Activity
- System Probes & Scanning
- Unauthorised Network Activity
- Web Application Compromise

- SOAR Platform
- Configuration Refresh
- Vulnerability Management
- Issue Management
- SOC Program Management
- Incident Response
- Air-Gapped Implementation
- Non-Functional Requirements (NFR)
- Business Case for SOAR
- Functional Requirements
- Technical Building Blocks
- Operational Building Blocks
- Platform Maintenance
- Threat Hunting
- SOAR Vendors
Denial of Service

Detect/Analyze
- Quantify the DoS attack and traffic
- Review OS and application logs
- Research current attack intelligence and recent vulnerabilities
- Update internal management team as appropriate (assessment)

Respond
- Contact your ISP
- Notify legal counsel of any illegal or inappropriate activity
- Contact owners of systems being used to mount the DoS attack
- Notify constituents (status update)
- Notify external parties as appropriate
- Notify law enforcement
- Throttle or block DoS traffic
- Terminate unwanted DoS connections or processes
- Switch to alternate sites or networks
- Configure egress filters
- Harden and/or patch all other vulnerable systems
- Remove temporary containment measures
- Notify computer security organizations and resources
- Notify HR
- Notify public relations department
- Review and respond to contractual obligations related to intrusion or loss of service

Post-Incident
- Notify internal management chain (resolution)
- Notify constituents (resolution)
- Properly dispose of incident information
- Post-incident review
- Generate incident report
- Update policies and procedures
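As an added example (not part of the original playbook), a scripted version of the Detect/Analyze steps "Quantify the DoS attack and traffic" and "Review OS and application logs": it parses web-server access-log lines, measures the overall request rate and the share of 5xx responses over the observed window, and lists the sources whose individual rate exceeds a threshold, which is the kind of assessment a SOAR playbook task would hand to the management update. The log lines, IP addresses and threshold are constructed for illustration.

```python
"""Added example: a 'Quantify the DoS attack and traffic' playbook step that
summarises a web-server access log. Not part of the original page; the log
lines, addresses and threshold below are constructed for illustration."""
import re
from collections import Counter
from datetime import datetime

# Combined-log-format pattern: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

# Constructed sample: one source hammering /login (30 req/s for 10 s, all 503),
# plus two ordinary clients in the same window.
SAMPLE_LOG = "\n".join(
    [f'198.51.100.7 - - [10/Mar/2024:12:00:{s:02d} +0000] "POST /login HTTP/1.1" 503 0'
     for s in range(0, 10) for _ in range(30)]
    + ['203.0.113.5 - - [10/Mar/2024:12:00:03 +0000] "GET / HTTP/1.1" 200 512',
       '192.0.2.9 - - [10/Mar/2024:12:00:08 +0000] "GET /about HTTP/1.1" 200 734'])

def quantify_dos(log_text, rate_threshold=10.0):
    """Return an assessment dict: total requests, window length in seconds,
    overall req/s, 5xx ratio, and (ip, count) pairs whose per-source rate
    over the window exceeds rate_threshold, highest volume first."""
    per_ip = Counter()
    errors = 0
    timestamps = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparseable lines rather than miscount them
        per_ip[m["ip"]] += 1
        timestamps.append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
        if m["status"].startswith("5"):
            errors += 1
    total = sum(per_ip.values())
    if total == 0:  # empty or fully unparseable input: nothing to quantify
        return {"total": 0, "window_s": 0, "rate": 0.0, "error_ratio": 0.0, "offenders": []}
    # Window is inclusive of both end seconds, so a single second counts as 1.
    window = int((max(timestamps) - min(timestamps)).total_seconds()) + 1
    offenders = [(ip, n) for ip, n in per_ip.most_common() if n / window > rate_threshold]
    return {"total": total, "window_s": window, "rate": total / window,
            "error_ratio": errors / total, "offenders": offenders}

if __name__ == "__main__":
    print(quantify_dos(SAMPLE_LOG))
```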